One of the most consequential and least understood aspects of GDPR is the question of who it applies to. The instinctive answer — European organisations — is correct but critically incomplete. GDPR’s extraterritorial provisions in Article 3 extend the regulation’s reach far beyond the borders of the European Union, to any organisation anywhere in the world that meets certain conditions in relation to EU residents. For organisations based in Asia, the Americas, Africa, or any jurisdiction outside the EU, this extraterritorial reach is the single most important feature of GDPR to understand before anything else.
This article explains the three territorial grounds on which GDPR applies, how supervisory authorities interpret and enforce them in practice, what the Article 27 EU representative requirement means for non-EU organisations, and the practical steps that organisations outside the EU must take once they determine that GDPR applies to them.
Article 3: The Three Grounds for GDPR Applicability
Article 3 establishes three distinct grounds on which GDPR applies to an organisation. Each ground is independent — an organisation that meets any one of them is subject to GDPR for the processing activities covered by that ground.
The first ground, Article 3(1), is the establishment ground. GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. If an organisation has an establishment — any stable arrangement for carrying out activities, however minimal — in an EU member state, and personal data is processed in the context of that establishment’s activities, GDPR applies. The processing itself does not need to take place in the EU. A US company with a sales office in Germany that processes customer data on US servers is subject to GDPR for that processing.
The second ground, Article 3(2), is the targeting ground — and it is the one that catches most non-EU organisations by surprise. GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment of the data subject is required; or (b) the monitoring of their behaviour as far as their behaviour takes place within the EU.
The third ground, Article 3(3), applies to processing by a controller not established in the EU but in a place where member state law applies by virtue of public international law. Recital 25 gives the examples of a member state's diplomatic missions and consular posts; this ground is relevant only to a narrow category of organisations.
The Establishment Ground in Detail
Establishment under GDPR does not require formal legal incorporation in the EU. The Court of Justice of the EU has interpreted establishment broadly, notably in Weltimmo (C-230/14): any real and effective activity, even a minimal one, exercised through stable arrangements is sufficient, and Recital 22 confirms that the legal form of the arrangement is not the determining factor. A small subsidiary, a representative office, a branch, a permanent agent, even a single employee habitually present in a member state conducting business activities, can constitute an establishment.
The critical second element of Article 3(1) is the 'in the context of' connection. Processing must occur in the context of the EU establishment's activities, not merely alongside them. If a US parent company processes customer data for its global operations and its German subsidiary is purely a local sales team that plays no part in that activity, the US parent's processing may not be within scope. But if the German subsidiary is inextricably linked to the activity that gives rise to the processing, as the Court found in Google Spain (C-131/12) for a local subsidiary that sold the advertising funding the parent's search engine, the connection is established even though the subsidiary does not itself handle the data.
| IMPORTANT | The establishment ground applies even if the processing takes place entirely outside the EU. A UK company (post-Brexit, and so itself outside the EU) that processes EU customer data on servers in London is subject to GDPR for that processing if it is carried out in the context of the activities of an EU establishment, such as an Irish subsidiary. The location of the servers is irrelevant to the establishment analysis; what matters is the connection between the processing and the EU establishment's activities. |
The Targeting Ground: Offering Goods or Services to Data Subjects in the EU
Article 3(2)(a) applies to organisations that offer goods or services to data subjects in the EU. Two questions must be answered: Is the organisation offering goods or services? And are those goods or services being offered to data subjects in the EU?
The first question is straightforward for most organisations. Any commercial activity that involves providing something of value — products, software, digital content, professional services — to individuals constitutes the offering of goods or services. Free services are explicitly included: GDPR’s Article 3(2)(a) specifies that payment is not required.
The second question, whether the offering is directed at data subjects in the EU, is where the analysis becomes nuanced. Recital 23 provides the key interpretive guidance: the mere accessibility of a website, an email address or other contact details from the EU is not sufficient, and neither is the use of a language generally used in the third country where the controller is established. What matters is whether it is apparent that the controller 'envisages offering services to data subjects in one or more member states in the Union'. Factors that demonstrate this intention, drawn from Recital 23 and the EDPB's Guidelines 3/2018 on territorial scope, include: use of a language or currency generally used in one or more member states with the possibility of ordering goods or services in that language; the mention of customers or users who are in the EU; marketing campaigns directed at an EU audience; use of an EU or member state top-level domain; and delivery or service availability in EU member states.
| KEY IDEA | An Indonesian e-commerce platform that accepts orders from customers in the EU, ships to EU addresses, and displays prices in Euros is offering goods or services to data subjects in the EU. GDPR applies to its processing of those customers' personal data regardless of where the company is based, where its servers are located, or whether it has ever considered itself subject to EU law. |
The 'in the EU' element of Article 3(2) refers to data subjects who are physically in the EU at the moment the trigger activity takes place, that is, when the goods or services are offered or when the behaviour is monitored. It is not a test of citizenship or habitual residence. An EU citizen temporarily in Singapore is not a data subject in the EU for these purposes; a non-EU citizen temporarily in France is. The test is presence at the relevant time, not nationality or residence.
The Targeting Ground: Monitoring Behaviour in the EU
Article 3(2)(b) applies to organisations that monitor the behaviour of individuals in the EU — tracking their activities online, their movement, their purchasing behaviour, or any other behavioural characteristic — to the extent that their behaviour takes place within the EU.
Recital 24 provides interpretive guidance: processing that can be considered behaviour monitoring includes tracking individuals on the internet with data processing techniques including profiling of a natural person, in particular in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes.
This provision catches a wide range of digital analytics activities: website analytics that track individual users' behaviour; advertising retargeting that follows individuals across websites; location tracking through mobile applications; behavioural scoring for insurance or credit; IoT monitoring of individuals in physical spaces. One caveat from the EDPB's Guidelines 3/2018: 'monitoring' implies that the controller has a specific purpose in mind for collecting and subsequently reusing the behavioural data, so not every incidental online collection of data about a person in the EU is monitoring. Subject to that, any organisation that systematically tracks the online or offline behaviour of individuals physically present in the EU is subject to Article 3(2)(b) for that processing, regardless of where the organisation is based.
What Applicability Means: The Full Scope of Obligations
An organisation that falls within GDPR’s scope under any of the Article 3 grounds is subject to the full set of GDPR obligations for the processing activities that trigger applicability. There is no reduced or simplified compliance track for non-EU organisations. The obligations are the same: establish a lawful basis for each processing activity, implement the six data protection principles, respond to data subject rights within statutory timeframes, implement appropriate technical and organisational measures, maintain records of processing activities, conduct DPIAs where required, and be able to demonstrate compliance.
For non-EU organisations without an EU establishment, the accountability obligations extend to appointing a representative in the EU under Article 27, maintaining records of processing activities under Article 30 (a copy of which the representative must also hold), and cooperating with supervisory authority investigations. Failure to appoint a representative where required is itself a GDPR violation, fineable under Article 83(4)(a) at up to EUR 10 million or 2% of worldwide annual turnover, and DPAs have sanctioned it: in 2021 the Dutch supervisory authority fined the Canadian operator of LocateFamily.com EUR 525,000 for processing the data of people in the EU without an EU representative.
The Article 27 EU Representative Requirement
Article 27(1) requires controllers and processors not established in the EU but subject to GDPR under Article 3(2) to designate in writing a representative in the EU. The representative must be established in one of the EU member states where the data subjects whose personal data is processed in connection with the offering of goods or services to them, or whose behaviour is monitored, are located.
The EU representative serves as a contact point for supervisory authorities and data subjects on all issues related to the processing (Article 27(4)). Designating one is without prejudice to legal action against the controller or processor itself (Article 27(5)), so responsibility for compliance stays with the non-EU organisation. The representative is not a liability shield in the other direction either: Recital 80 envisages enforcement proceedings against the representative where the controller or processor does not comply, and the representative has its own duty to hold a copy of the Article 30 records. It must be accessible to DPAs and respond to their enquiries, and data subjects may contact it to exercise their GDPR rights.
Article 27(2) sets out two exemptions. The first covers processing that is occasional, does not include large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons. The second covers public authorities and bodies. The first exemption is narrow and its three conditions are cumulative: most commercial processing activities, particularly systematic e-commerce or digital services, fail at least one of them.
| IMPORTANT | EU representative services are available from specialist providers in most major EU jurisdictions. The representative must be able to respond to DPA enquiries and data subject rights requests promptly and accurately. Designating a nominal representative without the practical capability to fulfil the role does not satisfy the Article 27 obligation and exposes the non-EU controller to continued enforcement risk. |
Enforcement Against Non-EU Organisations
The practical question for many non-EU organisations is whether GDPR enforcement against them is realistic. The honest answer is: increasingly, yes. Supervisory authorities have demonstrated willingness to investigate and sanction non-EU organisations, and the mechanisms for doing so are more developed than they were in the early years of GDPR enforcement.
Article 83 fines can be imposed on non-EU controllers and processors. DPAs can also use their Article 58(2) corrective powers, including orders to bring processing into compliance and temporary or definitive bans on processing. While such orders are not directly executable in non-EU jurisdictions, they have practical consequences: they can be publicised, affecting commercial reputation; they can trigger investigations by other regulators with whom EU DPAs cooperate; and a ban on processing binds any EU-based partner, processor or payment provider the non-EU organisation relies on, putting operational pressure on organisations that continue to serve EU markets.
The more immediate enforcement risk for most non-EU organisations is commercial rather than regulatory. European enterprise clients require GDPR-compliant data processing agreements. Procurement processes include GDPR compliance assessments. A non-EU organisation that cannot demonstrate GDPR compliance — because it has not assessed its applicability, has not implemented required measures, and has not appointed an EU representative — will fail these assessments and lose contracts.
GDPR Applicability for Indonesian Organisations
For Indonesian organisations, the extraterritorial question is not hypothetical. Indonesia’s growing technology sector, its expanding e-commerce ecosystem, and its increasing integration into global digital supply chains create multiple pathways through which Indonesian companies become subject to GDPR.
An Indonesian fintech offering accounts or payment services to customers in the EU, whether Indonesians living there, other expatriates, or European nationals, is offering financial services to data subjects in the EU. GDPR applies. An Indonesian marketplace that accepts EU buyers and ships to EU addresses is offering goods to data subjects in the EU. GDPR applies. The processor cases need one more step of analysis. An Indonesian SaaS company with EU enterprise clients, or an Indonesian analytics company processing EU data on behalf of EU-based controllers, is offering its service to businesses rather than to the individuals whose data it handles; under the EDPB's Guidelines 3/2018 the processor is then bound primarily through the Article 28 contract and the Chapter V transfer mechanism that the EU controller must put in place, and is directly within Article 3(2) only to the extent its own activities target or monitor data subjects in the EU. Either way, the Indonesian company ends up operating to GDPR standards: by direct applicability, by contract, or both.
| BITLION INSIGHT | Indonesian organisations sometimes assume that GDPR is a European concern that does not reach them until they establish a formal EU presence. This is incorrect. The targeting ground in Article 3(2) is specifically designed to apply to organisations without EU establishments. The relevant question is not where the organisation is based; it is whether the organisation directs goods or services at people in the EU, or monitors their behaviour there. |
The parallel between GDPR and Indonesia's UU PDP (Law No. 27 of 2022) provides an important strategic dimension. UU PDP adopts an extraterritorial scope provision in Article 2 that resembles GDPR's: it applies to parties outside Indonesia whose acts have legal consequences within Indonesia or for Indonesian-citizen data subjects outside Indonesia, regardless of where those parties are established. One difference worth noting is that UU PDP's test is tied in part to the data subject's Indonesian citizenship, whereas GDPR's targeting ground turns on the data subject's presence in the EU. Indonesian organisations building a GDPR compliance programme are nonetheless simultaneously advancing their UU PDP compliance and developing a privacy governance capability that positions them for an increasingly privacy-conscious global market.
Practical Steps for Non-EU Organisations Subject to GDPR
Organisations that determine they are subject to GDPR under Article 3 should take the following steps in sequence. First, document the basis for applicability — which Article 3 ground applies, which processing activities it covers, and which data subjects it relates to. This scoping document is the foundation for the compliance programme.
Second, assess whether the Article 27 EU representative requirement applies. If the processing is not occasional, or involves more than a minimal population of data subjects, the requirement almost certainly applies. Identify a suitable representative and document the designation in writing: either an EU group affiliate, where one exists and the processing is not already carried out in the context of that affiliate's activities (in which case Article 3(1) rather than Article 27 governs), or a specialist third-party service. The EDPB advises against combining the roles of representative and data protection officer in one entity, because the representative acts on the controller's mandate while the DPO must be independent.
Third, build or adapt the GDPR compliance programme to cover the identified processing activities. This includes lawful basis documentation for each processing activity, implementation of the data protection principles, technical and organisational security measures, records of processing activities, data subject rights procedures, and breach notification protocols. The subsequent articles in this knowledge hub address each component in detail.
Fourth, review commercial agreements with EU counterparties. Where the organisation processes EU personal data on behalf of EU controllers, a data processing agreement meeting the requirements of Article 28(3) is required. Where an EU controller or processor discloses personal data to the organisation in Indonesia, which has no EU adequacy decision, that disclosure is a restricted transfer under Chapter V and the EU exporter needs an Article 46 mechanism, in practice usually the Commission's 2021 Standard Contractual Clauses, which the Indonesian importer must sign and be able to honour. Two points from EDPB and Commission guidance matter here. A non-EU controller collecting data directly from data subjects in the EU is not making a Chapter V transfer for that collection (EDPB Guidelines 05/2021), but any onward disclosure to its own sub-processors in third countries is one. And the 2021 SCCs were not drafted for importers whose processing is itself already subject to GDPR under Article 3(2), so transfers to such importers need careful analysis of which mechanism is appropriate.
Fifth, maintain the compliance programme as a living system. GDPR compliance is not a one-time project. Processing activities change, regulatory guidance evolves, and enforcement priorities shift. An organisation that builds GDPR compliance and then treats it as complete is likely to find itself non-compliant within a few years. Article 5(2)’s accountability principle requires ongoing demonstration of compliance, not a historical snapshot.
| KEY IDEA | The extraterritorial scope of GDPR is one of the primary mechanisms by which European data protection standards have become global standards in practice. Organisations that trade with, serve, or employ EU residents — regardless of their own jurisdiction — are expected to meet GDPR standards. Building genuine GDPR compliance is therefore not merely a European market requirement. It is increasingly a prerequisite for participation in the global digital economy. |